[Work In Progress] OPNsense Ported into ARM Devices

[nekoprog]

Hello, I would like to say thank you to OPNsense developers for creating this awesome firewall. I would like to mention that OPNsense is working great on Raspberry Pi 2, using image created by opnsense/tools with the latest PR. The only problem is that there is no repo for updates or installing plugins. Other than that it works just like on x86/64 hardware. I also tried UnboundBL plugin and it works too. I hope that plugin will go official any time soon.

If anyone ask why use RPI2 because it only has one LAN port, I would say that it doesn't matter because I use Netgear Aircard 320U for WWAN and use LAN port with D-Link DAP-1360 wifi AP.

With this as proof of concept, I hope other users/contributors/developers can use the template on opnsense/tools to port OPNsense to other ARM devices.

• OPNsense ARM Images [DOWNLOADS]
• Update Repo, edit /usr/local/etc/pkg/repos/OPNsense.conf:

Code Select Expand

OPNsense: {
  fingerprints: "/usr/local/etc/pkg/fingerprints/OPNsense",
  url: "http://neko.progr.am/pieSense/${ABI}/19.1/latest",
  signature_type: "NONE",
  mirror_type: "NONE",
  priority: 11,
  enabled: yes
}

• How to make your own ARM image

Code Select Expand

Minimum required build system:
64bit multicore processor, 4GB RAM and 25GB disk space.

Supported 32-bit ARM devices (arm:armv6):
1. Banana Pi (bpi)
2. Raspberry Pi2 (rpi2)


Supported 64-bit ARM devices (arm64:aarch64):
1. NanoPi NEO2 (nanopi-neo2)
2. Orange Pi PC2 (orangepi-pc2)
3. Raspberry Pi3 (rpi3)


Build steps:
# pkg install git
# cd /usr
# git clone https://github.com/opnsense/tools
# cd tools
# make update
# make xtools base kernel packages arm-3G DEVICE=(product-device)


Everyone is invited to share ideas and help with porting ARM devices using the device config templates on OPNsense/tools.

Wishlist (Needs uboot slave file in ports to make it work)

#	Device	defconfig	dtb
1	ESPRESSObin	??	armada-3720-espressobin.dtb | armada-3720-community.dtb
2	MACCHIATObin	??	armada-8040-mcbin-single-shot.dtb | armada-8040-mcbin.dtb
3	Libre Computer Tritium H5	libretech_all_h3_cc_h5_defconfig	sun50i-h5-libretech-all-h3-cc.dtb
4	Odroid XU3/4	odroid-xu3_defconfig	exynos5422-odroidxu3.dtb
6	NanoPi R1	nanopi_r1_defconfig	sun8i-h3-nanopi-r1.dtb

[monstermania]

Hi,
sounds very interesting!
Do you know, if your image would work for RPI3, too?

best regards
Dirk

[nekoprog]

Hi,
sounds very interesting!
Do you know, if your image would work for RPI3, too?

best regards
Dirk

Hi, no. The attached .img was build specific for RPI2. But you can build RPI3 image using opnsense/tools. Franco just recently merged the PR to make the image bootable. But it still not tested yet because I don't own RPI3.

Hope you can test the code, see if it works or not. If not, we can still contribute something to make it work.

[lattera]

I'd be more than happy to help test! I've got several RPI3 boards gathering dust.

If I get some spare time this week and/or next, I'll test on the RPI3.

[chemlud]

Fun to see this old topic is still alive! I think I would also prefer raspi 3 as the "old" image in raspi 1 was vvvveerryyyy slow...

https://forum.opnsense.org/index.php?topic=6099.msg25545#msg25545

:-D

[nekoprog]

I'd be more than happy to help test! I've got several RPI3 boards gathering dust.

If I get some spare time this week and/or next, I'll test on the RPI3.

Thanks. If it doesn't work, I guess UBLDR_LOADADDR=0x200 on device/rpi3.conf is not correct.

Fun to see this old topic is still alive! I think I would also prefer raspi 3 as the "old" image in raspi 1 was vvvveerryyyy slow...

https://forum.opnsense.org/index.php?topic=6099.msg25545#msg25545

:-D

Franco's code is already working fine to begin with, just a minor tweaking and it works well.

[monstermania]

I think I would also prefer raspi 3 as the "old" image in raspi 1 was vvvveerryyyy slow...

Me too!  ;)
Also very interested of the performance on RPI3...
Of course a working image for Esspresso.bin would be nice!!!  ;D ;D ;D

[chemlud]

...still dreaming of ducktaping a raspi to my laptop as a firewall/wifi access while traveling. Powering raspi from laptop would be fun, but a small power bank would be acceptable, too :-D

Currently I use a rather big old box with a wifi stick. 

[nekoprog]

I think I would also prefer raspi 3 as the "old" image in raspi 1 was vvvveerryyyy slow...

Me too!  ;)
Also very interested of the performance on RPI3...
Of course a working image for Esspresso.bin would be nice!!!  ;D ;D ;D

If espressobin supported by freebsd, it should work with opnsense, just need to add device config and compile.

...still dreaming of ducktaping a raspi to my laptop as a firewall/wifi access while traveling. Powering raspi from laptop would be fun, but a small power bank would be acceptable, too :-D

Currently I use a rather big old box with a wifi stick. 

Currenly using RPI2 to run suricata and unboundbl, works great with additional swap file. Still works better than using ipfire or openwrt. More to come with the plugins and update repo. I can see a future of opnsense with wide range of highend (multicore processor + 4GB and above of ram) arm SBC supported.

[chemlud]

Is it this Aircard:

https://www.hackster.io/beame-io/how-to-use-an-off-the-shelf-4g-usb-module-with-raspberry-pi-c5c30f


...I only have a Telekom Speedstick LTE V (Huawei E3372s -153), any chance to get that working with the raspi 2? :-)

[nekoprog]

Is it this Aircard:

https://www.hackster.io/beame-io/how-to-use-an-off-the-shelf-4g-usb-module-with-raspberry-pi-c5c30f


...I only have a Telekom Speedstick LTE V (Huawei E3372s -153), any chance to get that working with the raspi 2? :-)

Looks like same model, but different branding, I guess it's ISP branded air card and not generic one. If possible buy a generic unlocked usb modem and can connect using PPP effortlessly.

Most Huawei usb modem supported by open source distro, I guess freebsd already has a support for it. Just shove it into usb port and open Interface>WAN>IP Configuration Type>PPP and select the correct modem port.

[Antaris]

Good news. I also have SBC, but still not supported by BSD.
It's a Libre Computer Tritium H5 2GB:

https://libre.computer/2019/02/07/linux-4-19-lts-images-for-tritium/

It only have support on Ubuntu, Debian and Armbian for now.

[chemlud]

I only have a Telekom Speedstick LTE V (Huawei E3372s -153), any chance to get that working with the raspi 2? :-)

Most Huawei usb modem supported by open source distro, I guess freebsd already has a support for it. Just shove it into usb port and open Interface>WAN>IP Configuration Type>PPP and select the correct modem port.

Can confirm this Huawei works, I created a PPP interface with cuaU0.1 and added Z as "init String" under Advanced Options, assigned it to WAN and works like a charm... Will test with the raspi soonish. :-)

[franco]

I'd like to thank nekoprog for the work done with the ARM ports. Very useful and robust now. :)

Next step is actually the long-promised BPI image and then come 20.1 we'll have to see what we can do when i386 is being dropped from our supported list...


Cheers,
Franco

[nekoprog]

Good news. I also have SBC, but still not supported by BSD.
It's a Libre Computer Tritium H5 2GB:

https://libre.computer/2019/02/07/linux-4-19-lts-images-for-tritium/

It only have support on Ubuntu, Debian and Armbian for now.

Looks like a great device with crypto support. Not sure if FreeBSD already have a supported device that has the same hardware. If they do, maybe can port it's uboot into Tritium.

Can confirm this Huawei works, I created a PPP interface with cuaU0.1 and added Z as "init String" under Advanced Options, assigned it to WAN and works like a charm... Will test with the raspi soonish. :-)

That's great. Huawei modem always have a good support from open source community. If you have RPI3, try test using that, would like to know how good it will performs.

I'd like to thank nekoprog for the work done with the ARM ports. Very useful and robust now. :)

Next step is actually the long-promised BPI image and then come 20.1 we'll have to see what we can do when i386 is being dropped from our supported list...


Cheers,
Franco

No problem, I'm glad to be able to contribute back. If I have any other SBC with 64bit arch, I will help with porting and testing.